A Hitch-Hacker’s Guide to the Galaxy – Developing a Cyber Security Roadmap for Executive Leaders
In this blog series, I am looking at steps that your organisation can take to build a roadmap for navigating the complex world of cyber security and improving your cyber security posture.
There’s plenty of technical advice out there for helping security and IT teams who are responsible for delivering this for their organisations. Where this advice is lacking is for executive leaders who may or may not have technical backgrounds but are responsible for managing the risk to their organisations and have to make key decisions to ensure they are protected.
This blog series aims to meet that need, and provide you with some tools to create a roadmap for your organisation to follow to deliver cyber security assurance.
Each post focuses on one aspect to consider in your planning, and each forms a part of the Cyber Security Assessment service which we offer to our member organisations in the UK Higher and Further Education sector, as well as customers within Local Government, Multi-Academy Trusts, Independent Schools and public and private Research and Innovation. To find out more about this service, please contact your Relationship Manager, or contact us directly using the link above.
View all episodes.
Episode 4: Who goes there? Friend or foe?
“That’s right … we demand rigidly defined areas of doubt and uncertainty”
quote from Douglas Adams, The Hitchhiker’s Guide to the Galaxy
[ Reading time: 11 minutes ]
When things go sour
In the last episode (Knock, knock, who’s there?), I talked about account management—how to let the good guys in and keep the bad guys out. The problem is that even the good guys can pose a threat to your organisation. Not intentionally—or not usually intentionally (although every organisation has a few bad apples)—but if one of your people gets caught out clicking an email link they shouldn’t, or opening a suspect email attachment, or using a USB stick that has an infected file on it, the consequences can be just as damaging to your organisation as a direct attack. And sometimes even more so. We call it the “blast radius”.
The more systems and data a person has access to, the greater the risk to the organisation—the blast radius—so you need to put protective measures in place to limit the damage. Those protective measures are access controls.
These controls are all about giving people access to the organisation’s network, systems and data, but only as much as they need. It’s the least privilege principle in action.
And it’s tricky to get right.
Play your cards right
Put in too many protections, and things stop working, it adds friction to workflows, people get frustrated, and the IT team gets flooded with complaints.
Put in too few protections, and you have a permissive regime where everything works but people and systems are operating with more access than they need.
It doesn’t take much to work out which of the two is the more common. You’ve guessed it. The one where everyone is happy because things work and the IT team aren’t fielding complaints.
But overly permissive access controls are a ticking time bomb as far as cyber risk is concerned.
And the big challenge here is that if everything seems to be working just fine, there’s no incentive for anyone to rock the boat. Many organisations don’t have strong governance mechanisms in place around access controls, and when IT teams know that there’s a problem, they need executive team support to address it, because it’s probably not going to be a smooth ride to get there and some people are going be upset along the way.
When we do a Cyber Security Assessment, we analyse the access controls in place to uncover where there are excessive permissions, which, in some cases, could lead an attacker to full control of your network.
Role up, role up
Virtually all organisations use Microsoft Active Directory (AD) as their identity and access management system. AD is built-in to every Windows server, desktop and laptop (and has been since 2000), and while other systems are available, they cost extra, and can add complexity, so most organisations in the education sector just stick with it.
It’s AD that assigns access controls to every user, computer and “service” on your network, which is called a “domain”. AD is fundamental to all Windows networks.
Your user access controls (or permissions) can be assigned to users or to groups of users. In every case, your users should be a member of one or more groups which defines their role. In many cases, the group might contain only one user, like “Chief Financial Officer”. The access permissions get assigned to the group rather than the individual. This is called role-based access control.
Why does this matter? It’s all about ensuring the right levels of access are assigned, and managing those permissions quickly and effectively when you need to.
If a user leaves the organisation, they get removed from the group and instantly their permissions are revoked. If a person changes role, they get removed from their current group and assigned to a new group. This revokes the permissions associated with their old job and gives them the appropriate permissions for the new job.
It sounds obvious, but it’s not automatic. If you don’t use role based access controls, then you end up creating a tangled web of individual user permissions which quickly becomes unmanageable and where it is impossible to keep track of who has permission to what.
Because every organisation is different, Active Directory doesn’t force you to do this one way or another. It is up to your IT domain administrators to determine how permissions get assigned. And that means it requires effective oversight and governance. And that’s where you come in as executive leaders. Some of the alternatives to AD can help, but there are numerous ways to solve the problem.
Ahead in the cloud
Things get more complex when we add cloud services to the picture. Virtually all organisations use MS365 or Google Workspace as a productivity platform, and for many staff and students, it is the now the primary means of creating and storing work. Applying access controls in the cloud requires a separate set of tools, regardless of which cloud platform is in use.
Last time I checked, MS365 has 9 configuration dashboards, each providing access to numerous settings which have an impact on the security of your user accounts and data in the cloud. This is a huge additional administrative workload for IT teams to take on, and as an executive team you shouldn’t assume that good security “on premises” equates to good security in the cloud.
The good news is that the cloud platforms themselves provide a lot of enhanced security features and provide better reporting of security status and issues. The MS365 SecureScore gives you a percentage measure of your cloud security with a breakdown of areas of focus and suggestions for improvements. This can be a useful measure to keep track of, and I’ll say more about this in Episode 7 (Known unknowns).
In our Cyber Security Assessment, we undertake a cloud security audit of your MS365 or Google Workspace tenancy. This is based on the Center for Internet Security benchmarks for these platforms, which consist of over 100 control settings which are regularly updated to reflect changes in the features and functionality of cloud platforms. So it’s valuable to have this check done regularly to make sure you are following best practices.
Growing pains
Because it’s been around for so long, your organisation’s Active Directory has probably grown significantly over time. It will have seen changes in the administration team and different approaches to access control and security. And if your organisation has seen mergers with others, there’s every possibility that you have multiple domains in place. To make these work, they can be linked in domain “forests”, with high-level permissions (called “trust relationships”) established to enable a person or computer in one domain to access resources in another trusted domain.
In all likelihood, your Active Directory domain has been managed over time on a “best endeavours” basis by your IT team, without governing policies or other oversight mechanisms to ensure best practice is followed.
In an ideal world, you’d wipe the slate clean and start afresh. Sometimes that’s the best, or only, option when the web of permissions becomes so complex that security cannot be assured. But it’s not an easy task to undertake and so is rarely implemented. Organisations with complex domains are most at risk of compromise, and as an executive team you need to make sure that this fundamental aspect is well governed and managed.
In our Cyber Security Assessment, we conduct a security health check of your Active Directory domain and provide you with a report of security weaknesses, prioritised by severity to help you plan your remediation efforts, and with detailed guidance on remediation actions. We also show you how to build a programme of regular reviews so that you can keep abreast of changes to AD to ensure that you are always following best practices.
A Final [Deep] Thought
In the next episode of A Hitch-Hacker’s Guide to the Galaxy, we’ll be looking at how to secure your organisation’s data on laptops, tablets and phones. Data, data, everywhere…
For now, you can take useful steps forward by undertaking a security review of your Active Directory and MS365 or Google Workspace tenancy, and reviewing the governance mechanisms you have in place to ensure role based access control best practices are enforced. Do you maintain an inventory of your privileged user and service accounts? Are your IT admins using a tiered administration model with separate accounts for administrating different systems? Do the admins of your key line of business applications have separate accounts for their day-to-day business? How do you ensure that excessive permissions are not assigned to user and service accounts?
James Bisset is a Cyber Security Specialist at Jisc. He has over 25 years experience working in IT leadership and management in the UK education sector. He is a Certified Information Systems Security Professional, Certified Cloud Security Professional, and is a member of the GIAC Advisory Board.